Configuring SSL Communication

This section contains procedures for disabling non-secure communication and
for choosing encryption ciphers.

Disabling Non-Secure Communication

When a server instance is created, both an LDAP clear port and a secure
LDAP port (LDAPS) are created by default. However, there might be situations
where you want to disable non-SSL communications so that the server communicates
only through SSL.

To Disable the LDAP Clear Port

Because this command switches off the clear port, run it over the secure
LDAP port rather than the port you are disabling. This example binds to
the default LDAP secure port, 1636, on the host server host1.

$ dsconf set-server-prop -h host1 -P 1636 ldap-port:disabled

Restart the server for the change to take effect.

$ dsadm restart /local/dsInst

Clients can no longer bind on the non-secure port (1389 by default); every connection must now use LDAPS.

Choosing Encryption Ciphers

A cipher is the algorithm used to encrypt and
decrypt data. Generally speaking, the longer the key a cipher uses during
encryption, the stronger the encryption is, although key length alone is not
a measure of strength: an algorithm with known weaknesses stays weak whatever
its key size. Ciphers for SSL are also identified by the type of message authentication
used. Message authentication is a separate algorithm, a keyed hash (MAC) computed over each record, that detects any tampering with the data in transit.

When a client initiates an SSL connection with a server, the client
and server must agree on a cipher to use to encrypt information. In any two-way
encryption process, both parties must use the same cipher. Which cipher is
chosen depends upon the current order of the cipher list kept by the server:
the server selects the first cipher on that list that the client also offers,
so a client cannot force a weaker cipher as long as the server's list excludes
it. The default cipher value for Directory Server is all,
which means all known secure ciphers supported by the underlying SSL library.
However, you can modify this value to accept only certain ciphers.
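The two procedures above, disabling the clear port and then replacing the default cipher value with an explicit list, combined into one shell script that also verifies the result. This is an added example, not code from the Directory Server documentation. Beyond what the page states, it assumes that dsconf exposes a read-only ssl-supported-ciphers property and a settable ssl-cipher-family property, that get-server-prop prints one "name : value" line per value, that multi-valued properties are set by repeating prop:value, and that the host name, instance path and wanted cipher names are passed as arguments; the sample dsconf output in the comments is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the Directory Server documentation.
# Disables the LDAP clear port and pins the SSL cipher list of a DSEE
# instance, binding over LDAPS (1636) throughout, then verifies the result.
# Assumed (not shown on the page): the dsconf properties
# ssl-supported-ciphers (read-only) and ssl-cipher-family, "name : value"
# output lines from get-server-prop, and repeated prop:value arguments for
# multi-valued properties.
set -u

# Print the value(s) of one property from dsconf get-server-prop output.
# Constructed sample of the assumed layout:
#   ldap-port              :  disabled
#   ssl-supported-ciphers  :  TLS_RSA_WITH_AES_128_CBC_SHA
prop_values() {
    # $1 = dsconf output, $2 = property name
    printf '%s\n' "$1" | awk -v p="$2" -F':' '
        { name = $1; sub(/[ \t]+$/, "", name) }
        name == p { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }'
}

# Keep, in the order given, only the wanted ciphers that the server's SSL
# library reports as supported. Returns 1 if nothing survives, so a typo or
# an unsupported suite can never leave the server with an empty cipher list.
select_ciphers() {
    # $1 = newline-separated supported ciphers, $2 = comma-separated wanted list
    result=""
    old_ifs=$IFS
    IFS=','
    for c in $2; do
        if printf '%s\n' "$1" | grep -qx -- "$c"; then
            result="${result:+$result,}$c"
        fi
    done
    IFS=$old_ifs
    [ -n "$result" ] || return 1
    printf '%s\n' "$result"
}

# Turn "A,B" into "ssl-cipher-family:A ssl-cipher-family:B" for dsconf.
cipher_args() {
    printf '%s\n' "$1" | awk -F',' '{
        for (i = 1; i <= NF; i++)
            printf "%sssl-cipher-family:%s", (i > 1 ? " " : ""), $i
        print ""
    }'
}

# 0 if something accepts a TCP connection on host $1 port $2 (bash /dev/tcp).
port_open() { (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null; }

harden() {
    host=$1 inst=$2 wanted=$3
    # 1. Disable the clear port. Bind over LDAPS (-P is dsconf's secure-port
    #    option) because the clear port is the one being switched off.
    dsconf set-server-prop -h "$host" -P 1636 ldap-port:disabled || return 1

    # 2. Replace the default "all" with an explicit list, validated against
    #    what the SSL library actually supports.
    supported=$(prop_values "$(dsconf get-server-prop -h "$host" -P 1636 ssl-supported-ciphers)" ssl-supported-ciphers)
    chosen=$(select_ciphers "$supported" "$wanted") ||
        { echo "none of the wanted ciphers is supported: $wanted" >&2; return 1; }
    # shellcheck disable=SC2046  # splitting into separate arguments is intended
    dsconf set-server-prop -h "$host" -P 1636 $(cipher_args "$chosen") || return 1

    # 3. Both properties take effect only after a restart.
    dsadm restart "$inst" || return 1

    # 4. Verify: the property reads back, 1389 refuses, 1636 accepts, and the
    #    negotiated suite is reported (in OpenSSL's own cipher naming).
    state=$(prop_values "$(dsconf get-server-prop -h "$host" -P 1636 ldap-port)" ldap-port)
    [ "$state" = disabled ] || { echo "ldap-port is still '$state'" >&2; return 1; }
    if port_open "$host" 1389; then echo "clear port 1389 still accepting" >&2; return 1; fi
    port_open "$host" 1636 || { echo "LDAPS port 1636 not listening" >&2; return 1; }
    openssl s_client -connect "$host:1636" </dev/null 2>/dev/null | grep -E '^ *(Protocol|Cipher) *:'
}

# Usage: harden.sh host1 /local/dsInst TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
if [ $# -eq 3 ]; then
    harden "$@"
fi
```

dsconf prompts for the Directory Manager password (or reads it from a file given with -w) and, the first time it contacts an LDAPS port whose certificate it does not yet trust, asks whether to accept that certificate; run it once interactively, or set up the trust first, before scheduling the script. The wanted list is written in the cipher names the server reports, which differ from the names openssl prints in the final check.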